CFLDAP query - use to authenticate network user

New Here, Feb 12, 2008

Greetings

I have set up a successful cfldap query which will return all users in Active Directory.

If the user has logged into the network, I want to give them a view of certain data that someone outside the network cannot access.

I tried to send the internal user through an authentication page:

<!--- userPrincipalName is their email address --->
<cfldap action="QUERY"
name="results"
attributes="userPrincipalName"
start="dc=xxxx,dc=xxxx"
scope="SUBTREE"
filter="(&(objectCategory=user)(userPrincipalName=*))"
server="DC1.xxxx"
username="master\administrator"
password="xxxx">

This queries the AD as the admin because a second login by the user is what I am trying to avoid.

<CFIF .........?>

<cfset Session.user_id = results.userPrincipalName>

<cflocation url="switchboard.cfm" addtoken="No">

<cfelse>

<cflocation url="cannotauthenticate.cfm" addtoken="No">


</CFIF>

Is there any way to accomplish this?

Thanks

rinorman
Topics: Advanced techniques
Engaged, Feb 12, 2008

Are you using a windows server? Why not just make use of Integrated Windows Authentication?

Community Beginner, Jan 22, 2018

Hello tclaremont,

Do you have any reference Docs of how to use IWA with aem?

Thanks,

New Here, Feb 12, 2008

Thanks for your response. I do have a Windows server, however, when I tried initiating IWA, it prompts for a un and pw anyway.

This may have something to do with the network configuration?

We have a Watchguard firewall through which the webserver needs to pass to see the AD on DC1?

Thanks again...

Explorer, Feb 23, 2008

I'm not really sure what you are trying to do. You can query AD, via CFLDAP, to retrieve information about the account.

If you are trying to authenticate the user, you only need to use Windows or browser authentication. This will bounce against AD automatically. However, if you create a custom login form, you can use LDAP to authenticate the user.

If you create your own login form, you can still attempt to run the CFLDAP tag using the user's username/password, rather than an admin's username/password. Wrap the CFLDAP tag in CFTRY/CFCATCH to handle any errors.

New Here, Feb 25, 2008

Michael:

Thanks for your response.

My original intent was to try to avoid a second login screen for users already logged onto the network- so they would be allowed an internal view of data vs the outside view.

The LDAP query method does return all users, but there is no way I know of to compare the results of the query to anything. IOW, if the user is in AD and they are logged on, let them see the data without the need to use another Windows logon prompt, even though it's the same un/pw as their NT un/pw.

I hope I cleared up what it is I'm trying to do.

Thanks again

rinorman

Explorer, Feb 25, 2008

You have two issues.

1. You need to use Windows Integrated Authentication to ensure that an internal person doesn't have to log in twice.

2. You need to determine what will control access to your resources. I would suggest using domain groups to control the access.

Your CFLDAP query should pass the user's username and password and filter on sAMAccountName = "CGI.AUTH_USER". That would return only the logged-in user's information, such as "memberOf" to get the group membership.

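The two suggestions in this thread, binding with the user's own credentials inside CFTRY/CFCATCH (Feb 23) and filtering on sAMAccountName = CGI.AUTH_USER to read memberOf for group-based access (Feb 25), combined into one added example. This is not code from the thread or from Adobe; the domain controller DC1.example.local, the base DN, the UPN suffix, the group DN, the read-only lookup account svc_ldapread and application.ldapReadPassword are all assumptions to be replaced with your own. On the IWA path the web server has already authenticated the browser and no password is available to bind with, so that path looks the account up with the read-only service account rather than a domain admin; on the form-login path the bind itself is the password check.

```cfml
<!--- Added example, not code from the thread. Assumed names: the domain controller
      DC1.example.local, base DN dc=example,dc=local, UPN suffix example.local, the
      group that gates the internal view, and a read-only lookup account whose
      password is held in application.ldapReadPassword (set in Application.cfc,
      which is also assumed to enable session management). --->
<cfset ldapServer    = "DC1.example.local">
<cfset baseDN        = "dc=example,dc=local">
<cfset upnSuffix     = "example.local">
<cfset requiredGroup = "CN=IntranetUsers,OU=Groups,DC=example,DC=local">
<cfset lookupAccount = "svc_ldapread@#upnSuffix#">

<!--- Escape a value before it goes into a search filter (RFC 4515), so a submitted
      username such as "*)(sAMAccountName=*" cannot change the filter's meaning. --->
<cffunction name="ldapFilterEscape" returntype="string" output="false">
    <cfargument name="value" type="string" required="true">
    <cfset var s = arguments.value>
    <cfset s = replace(s, "\", "\5c", "all")>   <!--- backslash first, it is the escape char --->
    <cfset s = replace(s, "*", "\2a", "all")>
    <cfset s = replace(s, "(", "\28", "all")>
    <cfset s = replace(s, ")", "\29", "all")>
    <cfset s = replace(s, chr(0), "\00", "all")>
    <cfreturn s>
</cffunction>

<!--- Bind to AD as bindUser and fetch one account by sAMAccountName. On the form-login
      path bindUser is the user being checked, so a failed bind means a bad password.
      Returns { found, groups } and never throws to the caller. --->
<cffunction name="lookupUser" returntype="struct" output="false">
    <cfargument name="sam" type="string" required="true">
    <cfargument name="bindUser" type="string" required="true">
    <cfargument name="bindPassword" type="string" required="true">
    <cfset var result = { found = false, groups = [] }>
    <cfset var users = "">

    <!--- Reject up front: an empty password would be an unauthenticated bind, which AD
          accepts, and an odd username is most likely a filter-injection attempt. --->
    <cfif NOT len(arguments.bindPassword) OR NOT reFind("^[A-Za-z0-9._-]{1,64}$", arguments.sam)>
        <cfreturn result>
    </cfif>

    <cftry>
        <cfldap action="query"
                name="users"
                server="#ldapServer#"
                username="#arguments.bindUser#"
                password="#arguments.bindPassword#"
                start="#baseDN#"
                scope="subtree"
                filter="(&(objectCategory=person)(objectClass=user)(sAMAccountName=#ldapFilterEscape(arguments.sam)#))"
                attributes="sAMAccountName,memberOf"
                separator="|"
                maxrows="1">
        <cfcatch type="any">
            <!--- Bad password, disabled or locked account, unreachable DC: all of these are
                  "not found" to the caller; the reason goes to the server log only. --->
            <cflog file="ldapauth" type="warning" text="LDAP lookup of #arguments.sam# as #arguments.bindUser# failed: #cfcatch.message#">
            <cfreturn result>
        </cfcatch>
    </cftry>

    <cfif users.recordCount EQ 1>
        <cfset result.found = true>
        <!--- memberOf is multi-valued; separator="|" above keeps the commas inside each DN intact --->
        <cfset result.groups = listToArray(users.memberOf, "|")>
    </cfif>
    <cfreturn result>
</cffunction>

<cffunction name="isMemberOf" returntype="boolean" output="false">
    <cfargument name="groups" type="array" required="true">
    <cfargument name="groupDN" type="string" required="true">
    <cfset var g = "">
    <cfloop array="#arguments.groups#" index="g">
        <cfif compareNoCase(trim(g), arguments.groupDN) EQ 0>
            <cfreturn true>
        </cfif>
    </cfloop>
    <cfreturn false>
</cffunction>

<!--- Request handler. With Integrated Windows Authentication enabled on the web server,
      CGI.AUTH_USER holds "DOMAIN\user" and no login form is shown; that path trusts the
      web server's result and uses the read-only account for the lookup. Otherwise the
      login form is shown and the user's own credentials are the bind. --->
<cfset user = { found = false, groups = [] }>
<cfif len(CGI.AUTH_USER)>
    <cfset samName = listLast(CGI.AUTH_USER, "\")>
    <cfset user = lookupUser(samName, lookupAccount, application.ldapReadPassword)>
<cfelseif structKeyExists(form, "username") AND structKeyExists(form, "password")>
    <cfset samName = trim(form.username)>
    <cfset user = lookupUser(samName, "#samName#@#upnSuffix#", form.password)>
<cfelse>
    <cflocation url="login.cfm" addtoken="no">
</cfif>

<cfif user.found AND isMemberOf(user.groups, requiredGroup)>
    <cfset sessionRotate()>   <!--- ColdFusion 10 or later: fresh session id after login --->
    <cfset session.user_id = samName>
    <cflocation url="switchboard.cfm" addtoken="no">
<cfelse>
    <cflocation url="cannotauthenticate.cfm" addtoken="no">
</cfif>
```

Three details matter for this to be a real check rather than the "query everyone as admin" approach in the opening post. A bind with a non-empty wrong password fails and lands in CFCATCH, but a bind with an empty password is an unauthenticated bind that Active Directory accepts, so the empty-password case is rejected before CFLDAP runs. The sAMAccountName value is escaped before it is placed in the filter, since otherwise a crafted username could widen the search. And CFLDAP joins multi-valued attributes with a comma by default, which would split every group DN in memberOf at its own commas, so separator="|" is set explicitly.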
Community Beginner, Jan 22, 2018

Hello Michael,

Do you have any reference Docs on how to use IWA with aem? How IWA communicates with AEM?

Thanks,
